===== FreeBSD Jail =====
FreeBSD Jail is a method for creating a virtual system within our system. Systems created this way are completely independent from the main (host) system, so a security vulnerability in a jail does not affect the host. Likewise, when a service running in the jail is compromised, the services running on the main system are not affected.
Jails can be thought of as a kind of operating system-level virtualization.
It is one of the features that make FreeBSD stand out from other operating systems in terms of security.
The installation and usage information described on this page is about creating a completely separate structure called a **Thick Jail**.
In addition, //VNET// features will be used to enable Jails to run on a separate network.
The installed jail will have all the basic FreeBSD files.
The FreeBSD version running in the jail cannot be more up-to-date than the FreeBSD version running on the main system.
This article will explain Jail installation, usage and management.
* Internet access is required on your FreeBSD system.
* The ''%%__JAIL_NAME__%%'' used throughout the article will be a name of your choice. The name **uch32bitjail** is used in the example commands.
* The ''%%__VERSION__%%'' used throughout the article is the FreeBSD version of the jail you will install. The version used in the example commands is **13.2-RELEASE**.
* Throughout the article, ''%%__ARCHITECTURE__%%'' is the FreeBSD architecture of the jail you will install. The architecture used in the example commands is **i386**.
* The example commands are used for **i386** jail installation in **amd64** architecture.
===== FreeBSD Jail Installation =====
Jail installation steps can be listed as follows.
- Creation of folders.
- Downloading the required base archive.
- Making settings on the main system.
- Creating and editing jail configuration files.
==== Folder Structure ====
Jails do not have to be kept in a specific directory. This article uses the directory ''/usr/jails''; you can change it if you want.
Edit the paths in the command below as needed, then run it to create the folders.
mkdir -p /usr/jails/files
mkdir /usr/jails/__JAIL_NAME__
The ''-p'' parameter creates folders recursively. So if the folder ''/usr/jails'' does not exist, it creates it too.
==== Downloading Required Files ====
The downloaded files are kept in ''/usr/jails/files'' so that they do not have to be downloaded again when they are needed.
They can be reused to install another jail quickly. However, if you are short on space, you can download these files again for each jail installation.
* Edit and run the command below to download the necessary files.
>
fetch https://download.freebsd.org/ftp/releases/__ARCHITECTURE__/__ARCHITECTURE__/__VERSION__/base.txz -o /usr/jails/files/__VERSION__-__ARCHITECTURE__-base.txz
>> **Example**;
>>
fetch https://download.freebsd.org/ftp/releases/i386/i386/13.2-RELEASE/base.txz -o /usr/jails/files/13.2-RELEASE-i386-base.txz
* Edit and run the following command to extract the downloaded //base// archive to the relevant jail location.
>
tar -xpf /usr/jails/files/__VERSION__-__ARCHITECTURE__-base.txz -C /usr/jails/__JAIL_NAME__ --unlink
>> **Example**;
>>
tar -xpf /usr/jails/files/13.2-RELEASE-i386-base.txz -C /usr/jails/uch32bitjail --unlink
* If you are low on disk space, you can run the following command to delete the downloaded files. To install a new jail you will need to download it again.
>
rm -f /usr/jails/files/__VERSION__-__ARCHITECTURE__-base.txz
>> **Example**;
>>
rm -f /usr/jails/files/13.2-RELEASE-i386-base.txz
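The archive is extracted with ''tar'' as root, so it is worth checking that the downloaded ''base.txz'' is the one the release directory publishes before extracting it. The following is an added example, not part of the original page or of FreeBSD's own tooling. It assumes that the ''MANIFEST'' file was fetched from the same release directory as ''base.txz'' (for the example release: ''https://download.freebsd.org/ftp/releases/i386/i386/13.2-RELEASE/MANIFEST''), and that ''MANIFEST'' is tab-separated with the file name in the first column and the SHA-256 digest in the second. The sample archive and manifest used in the self-check at the bottom are constructed.

```sh
#!/bin/sh
# Added example (not part of the original page): verify the downloaded
# base.txz against the release MANIFEST before extracting it into the jail.
# Assumption: MANIFEST was fetched from the same release directory as base.txz.

# Portable SHA-256: FreeBSD ships sha256(1), Linux ships sha256sum(1).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# manifest_sha256 MANIFEST ENTRY -> prints the expected digest of ENTRY.
# MANIFEST columns (tab-separated): file, sha256, file count, name, description, default.
manifest_sha256() {
    awk -v entry="$2" 'BEGIN { FS = "\t" } $1 == entry { print $2; exit }' "$1"
}

# verify_base_archive ARCHIVE MANIFEST [ENTRY] -> 0 on match, 1 otherwise.
# ENTRY defaults to base.txz because the article renames the file on download.
verify_base_archive() {
    archive=$1; manifest=$2; entry=${3:-base.txz}
    expected=$(manifest_sha256 "$manifest" "$entry")
    if [ -z "$expected" ]; then
        echo "no entry for $entry in $manifest" >&2
        return 1
    fi
    actual=$(sha256_of "$archive")
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH: $archive does not match MANIFEST entry $entry" >&2
        return 1
    fi
    echo "OK: $archive matches MANIFEST entry $entry"
}

# self_check -> 0 if a constructed archive verifies and a tampered copy is rejected.
self_check() {
    tmp=$(mktemp -d)
    printf 'constructed stand-in for base.txz\n' > "$tmp/13.2-RELEASE-i386-base.txz"
    digest=$(sha256_of "$tmp/13.2-RELEASE-i386-base.txz")
    # Constructed MANIFEST line in the real file's layout.
    printf 'base.txz\t%s\t1\tbase\t"Base system (MANDATORY)"\ton\n' "$digest" > "$tmp/MANIFEST"
    verify_base_archive "$tmp/13.2-RELEASE-i386-base.txz" "$tmp/MANIFEST" || return 1
    printf 'tampered\n' >> "$tmp/13.2-RELEASE-i386-base.txz"
    if verify_base_archive "$tmp/13.2-RELEASE-i386-base.txz" "$tmp/MANIFEST" 2>/dev/null; then
        return 1
    fi
    rm -rf "$tmp"
}

# Usage on the host, after fetching both files into /usr/jails/files:
#   verify_base_archive /usr/jails/files/13.2-RELEASE-i386-base.txz \
#       /usr/jails/files/13.2-RELEASE-i386-MANIFEST && tar -xpf ... --unlink
```

Run ''verify_base_archive'' before the ''tar'' step and only extract when it reports ''OK''; a digest mismatch means the archive was corrupted or altered in transit and should be downloaded again.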
==== Main System Settings ====
For jails to work, some adjustments need to be made on the main system.
* The internet connection and time settings for Jail need to be copied directly from the main system. Edit and run the following command.
>
cp /etc/resolv.conf /usr/jails/__JAIL_NAME__/etc/resolv.conf
cp /etc/localtime /usr/jails/__JAIL_NAME__/etc/localtime
>> **Example**;
>>
cp /etc/resolv.conf /usr/jails/uch32bitjail/etc/resolv.conf
cp /etc/localtime /usr/jails/uch32bitjail/etc/localtime
* Edit and run the following command to get possible updates for Jail.
>
freebsd-update -b /usr/jails/__JAIL_NAME__/ fetch install
>> **Example**;
>>
freebsd-update -b /usr/jails/uch32bitjail/ fetch install
* If you want the jails to start automatically when the machine starts, run the following command.((If you want to start them manually, skip this step. The command to start the jail will change according to this step.))
>
sysrc jail_enable="YES" # Initially to start the jails.
sysrc jail_parallel_start="YES" # If you add this line, the jails will be started in the background.
==== VNET Settings ====
The jail prepared in this article is prepared completely independently from the main system. Therefore, the jail needs to run on a separate network. VNET will be used for this.
If you don't want your jail to have internet access via a separate network ((no internet connection at all or sharing the same ip with the main system)) you can skip this part.
* Run the following command to create an adapter bridge.
>
ifconfig bridge create
>> The command prints the name of the bridge interface it created. Make a note of this name.
>>> As an example ''bridge0''
* Once the bridge is created, the ''em0'' interface must be added to it by running the following command:
> Here ''em0'' is the adapter name of the device. This name may be different in your system. You can use the ''ifconfig'' command to find out.
>
> Below is a sample output. The interface name is at the start of the first line (''em0:'').
>>
em0: flags=8863<UP,BROADCAST,KNOWSEPOCH,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=481009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER,NOMAP>
ether 08:00:27:06:c2:65
inet 192.168.1.47 netmask 0xffffff00 broadcast 192.168.1.255
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
* Run the following command to add interface ''em0'' to the bridge. Here ''bridge0'' is the bridge name created by the previous command and ''em0'' is the network interface of the host system.
>
ifconfig bridge0 addm em0
* Add the following lines to the ''/etc/rc.conf'' file so that this happens automatically on every startup.
>
defaultrouter="192.168.1.1"
cloned_interfaces="bridge0"
ifconfig_bridge0="inet 192.168.1.150/24 addm em0 up"
==== Jail Configuration ====
There are two ways to set configuration files for jails. If you are going to use a lot of jails, it makes more sense to choose the second way.
=== First Way ===
Configuration information is kept in a single file. This file is ''/etc/jail.conf''.
You need to add new entries to this file for each new jail.
=== Second Way ===
Configuration information is kept in a separate file for each jail. These files are kept in the ''/etc/jail.conf.d/'' folder.
For each new jail you need to create a new file in this folder. This method avoids confusion if you have many jails.
-----
Open the configuration file for the method you chose, add the lines below and edit them for your jail.
Each line is explained in the comment next to it.
Pay attention to the line endings of the files you create. Use **LF** instead of **CRLF**; otherwise the jail may not start or may behave unexpectedly.
__JAIL_NAME__ { # Name of the jail.
exec.start = "/bin/sh /etc/rc"; # Commands to run when the jail is started.
exec.stop = "/bin/sh /etc/rc.shutdown"; # Commands to run when the jail is stopped.
exec.consolelog = "/var/log/jail_console_${name}.log"; # File that command output is written to.
allow.raw_sockets; # Allows raw sockets to be used (e.g. ping).
exec.clean; # Run the commands in a clean environment.
mount.devfs; # Mount a devfs(5) file system on /dev.
host.hostname = "${name}";
path = "/usr/jails/${name}"; # Directory the commands are run in; in short, the directory the jail is installed in.
vnet;
vnet.interface = "${epair}b";
$id = "154"; # Value used to compute the last part of the IP address. Must be different for each jail.
$ip = "192.168.1.${id}/24";
$gateway = "192.168.1.1";
$bridge = "bridge0"; # Name of the bridge created in the VNET settings.
$epair = "epair${id}";
exec.prestart += "ifconfig ${epair} create up";
exec.prestart += "ifconfig ${epair}a up descr jail:${name}";
exec.prestart += "ifconfig ${bridge} addm ${epair}a up";
exec.start += "ifconfig ${epair}b ${ip} up";
exec.start += "route add default ${gateway}";
exec.poststop = "ifconfig ${bridge} deletem ${epair}a";
exec.poststop += "ifconfig ${epair}a destroy";
}
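Because ''$id'' decides both the jail's IP address and its ''epair'' name, giving two jails the same value puts two jails on one address and makes the second jail's ''exec.prestart'' fail when it tries to create an interface that already exists. The script below is an added example (not the page's or FreeBSD's own code) that writes the configuration above as a per-jail file for the second way (''/etc/jail.conf.d/__JAIL_NAME__.conf'') and refuses an ''$id'' that another file in that directory already uses. It assumes the 192.168.1.0/24 network and the 192.168.1.1 gateway from this article, and treats host numbers 2 to 254 as the usable range for jails.

```sh
#!/bin/sh
# Added example (not the page's or FreeBSD's own code): write a per-jail
# configuration file and reject an $id that is already taken in the directory.
# Assumptions: network 192.168.1.0/24 with gateway 192.168.1.1 (as in the
# article), jail host numbers limited to 2-254.

# render_jail_conf NAME ID BRIDGE -> prints the configuration. Only the three
# placeholders are substituted; ${name}, ${epair} etc. are left for jail(8).
render_jail_conf() {
    sed -e "s/@NAME@/$1/g" -e "s/@ID@/$2/g" -e "s/@BRIDGE@/$3/g" <<'EOF'
@NAME@ {
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.consolelog = "/var/log/jail_console_${name}.log";
    allow.raw_sockets;
    exec.clean;
    mount.devfs;
    host.hostname = "${name}";
    path = "/usr/jails/${name}";
    vnet;
    vnet.interface = "${epair}b";
    $id = "@ID@";
    $ip = "192.168.1.${id}/24";
    $gateway = "192.168.1.1";
    $bridge = "@BRIDGE@";
    $epair = "epair${id}";
    exec.prestart += "ifconfig ${epair} create up";
    exec.prestart += "ifconfig ${epair}a up descr jail:${name}";
    exec.prestart += "ifconfig ${bridge} addm ${epair}a up";
    exec.start += "ifconfig ${epair}b ${ip} up";
    exec.start += "route add default ${gateway}";
    exec.poststop = "ifconfig ${bridge} deletem ${epair}a";
    exec.poststop += "ifconfig ${epair}a destroy";
}
EOF
}

# used_ids DIR -> prints every $id assigned in DIR/*.conf, one per line.
used_ids() {
    [ -d "$1" ] || return 0
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        sed -n 's/^[[:space:]]*\$id[[:space:]]*=[[:space:]]*"\([0-9][0-9]*\)".*/\1/p' "$f"
    done
}

# write_jail_conf DIR NAME ID BRIDGE -> creates DIR/NAME.conf with LF line
# endings; fails if ID is not a host number in 2-254 or is already in use.
write_jail_conf() {
    dir=$1; name=$2; id=$3; bridge=$4
    case $id in
        ''|*[!0-9]*) echo "id '$id' is not a number" >&2; return 1 ;;
    esac
    if [ "$id" -lt 2 ] || [ "$id" -gt 254 ]; then
        echo "id $id is outside the usable host range 2-254" >&2; return 1
    fi
    for used in $(used_ids "$dir"); do
        if [ "$used" -eq "$id" ]; then
            echo "id $id is already used by another jail in $dir" >&2; return 1
        fi
    done
    mkdir -p "$dir"
    render_jail_conf "$name" "$id" "$bridge" > "$dir/$name.conf"
}

# Usage on the host: write_jail_conf /etc/jail.conf.d uch32bitjail 154 bridge0
```

The check counts every ''.conf'' file in the directory, including a previous file for the same jail, so remove the old file before re-rendering a jail with an unchanged ''$id''. Writing the file from a heredoc also guarantees the **LF** line endings the article asks for.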
===== Jail Management =====
* You can use the following command to list the jails currently running on the system.
>
jls
* You can use one of the commands below to start the jail. Use ''start'' if you enabled ''jail_enable'' in the main system settings; if you did not set the jail to start automatically at boot, use ''onestart''.
>
service jail start __JAIL_NAME__
service jail onestart __JAIL_NAME__
* You can use the following command to stop the jail.
>
service jail stop __JAIL_NAME__
* You can use the following command to restart Jail.
>
service jail restart __JAIL_NAME__
==== Deleting a Jail ====
Since security is a top priority in FreeBSD, even root privileges are not enough to delete some files.
This is controlled by file flags: parts of the base system carry the system immutable flag (''schg''), which must be cleared before the files can be removed.
* First stop the jail you are going to delete. Then run the command below, adjusted for your jail, to clear the file flags.
>
chflags -R 0 /usr/jails/__JAIL_NAME__
* You can now delete the jail folder with the following command.
>
rm -rf /usr/jails/__JAIL_NAME__
* Finally, complete the deletion by removing the configuration of the relevant jail. If you configured it the first way, edit the ''/etc/jail.conf'' file and remove the jail's entry. If you configured it the second way, delete the file ''/etc/jail.conf.d/__JAIL_NAME__.conf''.
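The two deletion commands above are run as root with ''-R'' and ''-rf'', so an empty or mistyped ''__JAIL_NAME__'' would clear the flags on, and remove, every jail under ''/usr/jails''. The script below is an added example (not the page's or FreeBSD's own code) that wraps those steps: it accepts only a plain directory name, refuses the ''files'' download cache, and checks with ''jls'' that the jail is not running before touching anything. It assumes the ''/usr/jails'' layout from this article; ''JAIL_ROOT'' can be overridden in the environment.

```sh
#!/bin/sh
# Added example (not the page's or FreeBSD's own code): guarded version of
#   chflags -R 0 /usr/jails/__JAIL_NAME__ && rm -rf /usr/jails/__JAIL_NAME__
# Assumption: jails live directly under JAIL_ROOT (default /usr/jails).
JAIL_ROOT=${JAIL_ROOT:-/usr/jails}

# valid_jail_name NAME -> 0 only for a plain directory name: no empty name,
# no path components, no leading dash, and not the download cache "files".
valid_jail_name() {
    case $1 in
        ''|.|..|*/*|-*|files) return 1 ;;
        *) return 0 ;;
    esac
}

# jail_dir NAME -> prints JAIL_ROOT/NAME, or fails on an unacceptable name.
jail_dir() {
    valid_jail_name "$1" || { echo "refusing to use jail name '$1'" >&2; return 1; }
    printf '%s/%s\n' "$JAIL_ROOT" "$1"
}

# jail_is_running NAME -> 0 if jls(8) lists the jail. Off FreeBSD there is no
# jls, so the jail is treated as not running.
jail_is_running() {
    command -v jls >/dev/null 2>&1 || return 1
    jls -j "$1" >/dev/null 2>&1
}

# delete_jail NAME -> clears the file flags and removes the directory only for
# a valid, existing, stopped jail.
delete_jail() {
    dir=$(jail_dir "$1") || return 1
    if jail_is_running "$1"; then
        echo "jail $1 is still running; stop it first: service jail stop $1" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "no such jail directory: $dir" >&2
        return 1
    fi
    chflags -R 0 "$dir" && rm -rf "$dir"
}

# Usage on the host: delete_jail uch32bitjail
```

After ''delete_jail'' succeeds, the jail's entry in ''/etc/jail.conf'' or its file in ''/etc/jail.conf.d/'' still has to be removed as described above.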
==== Jail Package Management ====
If you have not given your jail internet access ((In this article this step is not needed, because the jails are given internet access with VNET.)), you can use the following command to install packages into the jail from the main system.
>
pkg -j __JAIL_NAME__ install __PACKAGE_NAME__
>> **Example**;
>>
pkg -j uch32bitjail install wget
==== Jail Access ====
Although it is more convenient to manage the jail through the main system, you can access the jail with the following command.
jexec -u root __JAIL_NAME__
==== Command Execution on Jail ====
To run a command on Jail, you need to add the following prefix to the command you will run.
>
jexec -l __JAIL_NAME__ __COMMAND__
>> **Example**;
>>
jexec -l uch32bitjail service stop apache24
Taken from [[en:cs:op:bsd:jail|UCH Wiki]].
https://wiki.ulascemh.com/doku.php?id=en:cs:op:bsd:jail